August 2015 - Posts

One of the things you quickly learn when you work for a data security company is that data security doesn't work the way normal people think it does. For example, "normal people," apparently, think that they can somehow get off the leaked Ashley Madison list, the latest data breach story du jour: Now that the hackers of Ashley Madison have released the full 9.7 gigabytes of information, some former patrons (and current victims/penitents) are searching for hackers that will scrub their info from the list. Which is crazy. And laughable. And not doable. The sitcom Newsradio explained it very well back in the late 1990s:

Like he said. It's like getting pee out of the pool. Most people can probably appreciate the folly of even searching for a "solution" to this problem.

"once information has been sufficiently socialised and redistributed (which the Ashley Madison data has certainly been), the exposure is irretrievable"

But for those who don't get it, and don't understand what the above means (quote from this article), basically, it means you're screwed because the hacked data isn't found in a central depository.

Many people have the information now: Security researchers. Journalists. Bloggers. The honestly curious. Hackers with some kind of agenda. Your girlfriend majoring in comp sci. Sure, a hacker for hire could delete your specific entry from one list. But that leaves a million other lists that are on other people's computers.

Do you really think that a guy you've paid $2000 is going to be able to (and want to) track down all these founts of dismay?

It Extends to People in the Business

This lunacy of unachievable expectations, however, is not relegated to "normal" people. For example, in the course of this business, I have fielded more than a handful of inquiries where callers were looking for "NSA-proof encryption." Such encryption exists…but also doesn't exist.

Let me explain. As the Snowden disclosures have shown over the past couple of years, modern encryption tools like AES are definitely NSA-proof; that is, even the NSA has problems cracking particular encryption algorithms. Because of that, the NSA finds other weak points to exploit outside of encryption itself, such as the inherent weaknesses of passwords; man-in-the-middle attacks; the injection of customized malware; and other forms of procuring the data they need.

So, in this context, what exactly is "NSA-proof encryption?" This is my counter-question to the callers, and the often condescending response coming from the phone's receiver is, "we don't want the NSA to be able to get our data in any way or form." As if it could mean anything else.

Now, as far as I can tell, these callers weren't engaged in illegal activities. So, chances are that the NSA weren't even looking to get their data. But let's say that's not the case. Do these callers really believe that a full disk encryption solution for their laptops will stop the NSA or any intelligence agency worth their salt from acquiring their data, especially when they have so many other tools at their disposal for extracting it? Including the possible use of physical pain?

I tell the callers that we use AES-256, that the disk encryption solution is FIPS 140-2 validated and certified, answer any questions they have, and let the chips fall where they may. If they ask pointedly whether we're "NSA proof," I answer in the negative. In every single instance, I was given an unmeaning but not unfriendly thanks and never heard from them again.

The kicker: every single one of these people called in inquiring about the AlertBoot partnership program. They were people working in the data security sector. They supposedly knew about data security. They were not "normal" people. They knew better (or, at least, they should have known better).

I personally think of these instances as dodging particularly pernicious bullets. But the observation remains that, if so-called professionals fail to understand the limits of the security tools that they use, does the general populace stand a chance? Perhaps facepalming shouldn't be the immediate response to finding out that people are looking to extricate themselves from the Ashley Madison fiasco.

But then, the last ten years have shown us that no company or organization is immune to the ravages of hacking. If top-tier banks and security companies experience data breaches because they can only but curb attempts at stealing data, why would anyone believe that a peccadillo-peddling dot-com would succeed at stopping hackers?

Last week, an Indiana medical firm saw a massive medical data breach that extended throughout the entire U.S. Per online reports, possibly 4 million people in more than 230 hospitals and other healthcare organizations were affected by the breach, which occurred in May of this year.

It's the type of data that sells at a premium in online black markets that, admittedly, are just flooded with such information (and that premium shows how much more in demand detailed medical info happens to be). Needless to say, the company that got hacked – Medical Informatics Engineering (MIE), providers of the NoMoreClipBoard EHR system – went into full damage-control mode, as did its clients.

Where's the Security?

Despite the disastrous results that MIE is seeing, it appears that the company had been as proactive as possible when it comes to data security. For one, they uncovered the breach internally, which contrasts with the many companies who become aware of a data breach only when a third party (like the FBI) gets in touch with them.

Also, forensic analysis shows that the breach took place as early as May 7 and was discovered on May 26. While two-and-a-half weeks is an eternity in internet time, it's also not a bad performance from overworked IT staff (that's not to say that it couldn't be better).

And Encryption?

Of course, if data encryption had been used to protect the information, retrieving useful information would have been harder for whoever hacked MIE. But encryption was probably not a viable option for the company. The thing to understand about encryption is that it protects data when that data is not being used. (If that's news to you, just give it some thought: encryption works by scrambling information. In order for a legitimate user to work with encrypted data, it has to be unscrambled first; that is, the information is not encrypted while it is being used.)

Now, seeing how medical organizations may need to access patient info in any given 24 hours, MIE would have no option but to ensure that medical information is always accessible. Ergo, it cannot be encrypted, at least not for live databases, which is what the hacker or hackers targeted – the story is different for data going into semi-permanent storage, obviously.

Encryption is Appropriate in Many Cases

Despite what appears to be a terrible flaw regarding cryptographic security, the truth is that encryption is an excellent way to protect data. After all, there's a lot of data out there that's "not being used": when you're not interacting with your smartphone, for example, the contents of your mobile device are data that's not being used.

Same goes for when you're transporting your laptop to and from work – it's data that's not being used. (Seriously, you're not one of those types that uses one of these steering wheel trays while driving, right?)

The list of devices that hold data that's not being used (at least a good chunk of the time) is huge: smartphones, external hard disks, small USB flash drives, laptops, backup tapes, tablet computers, data discs, etc. For such devices, encryption is not only an appropriate method for protecting the data, it's considered one of the best (and in some circles, the best).